Go-away – Customizable, conditional challenges to incoming requests

Summary

Challenges Operators can choose to serve a challenge to incoming requests or client, depending on conditions or other rules. Challenges can be transparent (not shown to user, depends on backend or other logic), non-JavaScript (challenges common browser properties), or custom JavaScript (from Proof of Work to fingerprinting or Captcha is supported) The following examples are defined in policy snippets and are ready to use. Challenges can be redefined or new ones entirely can be added with different configuration. Transparent http Verify incoming requests against a specified backend to allow the user through. Cookies and some other headers are passed. For example, this allows verifying the user cookies against the backend to have the user skip all other challenges. Most request headers (including cookies / authorization) and other general headers from go-away are sent, some additional ones are set, of note: Header Description X-Away-Method Original request HTTP Method X-Away-Host Original request HTTP Host X-Away-Path Original request URL Path X-Away-Query Original request URL Query Example on Forgejo, checks that current user is authenticated: challenges: http-cookie-check: runtime: http parameters: http-url: http://forgejo:3000/user/stopwatches # http-url: http://forgejo:3000/repo/search # http-url: http://forgejo:3000/notifications/new http-method: GET http-cookie: i_like_gitea http-code: 200 verify-probability: 0.1 preload-link Requires HTTP/2+ response parsing and logic, silent challenge (does not display a challenge page). Browsers that support 103 Early Hints are indicated to fetch a CSS resource via Link preload that solves the challenge. The server waits until solved or defined timeout, then continues on other challenges if failed. Configured default is 2 seconds. Example: challenges: preload-link: condition: '"Sec-Fetch-Mode" in headers && headers["Sec-Fetch-Mode"] == "navigate"' runtime: "preload-link" parameters: preload-early-hint-deadline: 2s dnsbl You c...